08-23-2023 12:07 PM
Currently running ISE 3.2 patch 2, after installing patch 3 external authentication stops working for all devices as well as logging into the ISE itself. Internal local login still works. While logged in with the local account the external identities diag tool shows all green and test users function is successful. However the web ui and devices still do
After rolling back to Patch 2 everything works again.
08-31-2023 07:45 AM
@TravisIS We conducted internal validations on this and we are able to reproduce the issue internally and we are further validating the issue with CRL check. Will get back to you with more details on this shortly.
08-31-2023 07:50 AM
@Naresh Ginjupalli - Thank you for looking into this - I will notify my TAC engineer of this as well; I still need to perform a couple of PCAPs for her but if you can reproduce the issue in the lab that's great!
09-01-2023 01:22 PM
@dan.l.smith Please provide the SR number of your TAC case.
08-23-2023 01:05 PM
May be worth opening TAC case to investigate for you.
08-24-2023 10:35 AM
You have provided no specific error messages or logs or anything for us to help you. "external authentication stops working" is not an actual error and could be anything.
Please see How to Ask The Community for Help and try again or submit your case to TAC and they may spend the time collecting the necessary information to troubleshoot it with you.
08-25-2023 04:55 AM - edited 08-25-2023 04:56 AM
@thomas: You sound like Cisco TAC, LOL....
@dan.l.smith: patch 3 is really buggy and IMHO, broken. I don't know how much QA Cisco did with patch 3 but it does appear they did a very poor job on it. FWIW, I also have a TAC case with Cisco on ISE 3.2 patch-3 and the case is currently in the hands of the BU.
08-25-2023 05:27 PM
@adamscottmaster2013, no I'm not TAC but I do see many people posting questions here that do not understand how to help us help them. We cannot see their screens and their configs or know what their scenario is so they need to quickly and efficiently communicate it to us. I don't know why they think we can solve it faster than TAC with no visibility into the real problem. And we are all just trying to help here and we would rather not waste our time asking you 20 questions about your scenario to understand your situation.
Everyone here is trying to help but TAC gets paid to ask for troubleshooting details - we don't.
08-25-2023 08:03 AM
@adamscottmaster2013 same experience here - as of Patch 3, CRL retrieval is failing for EAP-TLS auth. Had to check the option to continue with auth even if the CRL check fails.
08-29-2023 10:08 AM
Hi Adam,
Can I please get SR details, if it is already opened? We have noticed the issue with CRL and want to see if the scenario we discovered is the same as yours.
08-29-2023 10:54 AM
@Naresh Ginjupalli: Yes, I have the ticket opened three weeks ago and it is not CRL. The issue is upgrading the 3.2 cluster (1 PAN, 1 Secondary PAN, 2 PSN nodes) from patch-2 to patch-3. Followed the instruction and the PAN started upgrade process but the Secondary and PSN nodes did not get upgraded. It is currently being investigated by BU and developers.
Btw, how much "leverage" do you have in getting it resolved quickly :-)?
08-29-2023 04:06 PM
Hi Adam,
I am analysing the SR for more details and will get back to you shortly on this.
08-29-2023 04:29 PM
Apologies. I need the SR number to expedite it.
08-29-2023 01:11 PM
Naresh - were you asking me to respond to the CRL issue or Adam?
Please let me know - I have a TAC case open for this defect (SR 696031940) however as it takes all dot1x auth down to replicate, I haven't yet had an opportunity to perform the necessary pcap etc but there are notes attached to the case you could look at for similarities if you like.
08-29-2023 04:27 PM
Thank you Travis, I looked at the SR and I am analysing the data provided in SR. Will get more details in a day.
10-30-2023 10:05 AM
Hi Naresh,
The CRL issue is now fixed in 3.2 Patch 4. There is a laundry list of fixed bugs in this patch; those of you on Patch 3 would do well to review the release notes at your earliest opportunity.